O2 Attracts Most Data Breach Complaints In All Of Britain

Exclusive: An FOI request reveals O2 has attracted more data protection complaints in one year than Google and Sony combined

Major British operator O2 attracted more complaints relating to data breaches over the last year than any other public or private organisation in the UK, whilst the Department of Work and Pensions (DWP) received more than any government body.

The figures, revealed when TechWeekEurope made a freedom of information (FOI) request to the Information Commissioner’s Office (ICO), showed the watchdog received 48 complaints over alleged O2 data breaches between 28 August 2011 and the same date this year.

The ICO looked at complaints surrounding “disclosure of data” and “security”, both of which it said related to data protection issues and information breaches in particular.

O2 said a select group of “trusted partners” were handed phone numbers to manage age verification and premium content billing, as well as for identifying O2 customers for services such as the Priority Moments reward scheme. But the flaw meant numbers were also revealed to untrusted partners until the fix was issued.

The ICO was considering an investigation, but confirmed the issue was resolved in July, with no further action needed.

O2 had little to say on the FOI’s findings. “We take data protection very seriously,” an O2 spokesperson said.

“This is the number of complaints which the ICO has received, it does not necessarily mean that ICO upheld the complaints.

“The Privacy Policy on our website helps O2 customers understand how we manage their data and use their information – if they have any concerns, our Customer Service team are available to help.”

O2 more maligned than Google and Sony combined?

Yet O2 might want to take a hint from the data. The FOI request data shows Telefonica UK, the owner of the O2 brand, received more complaints than either Google and Sony combined, even though both were involved in high-profile investigations by the ICO following significant data breaches.

Since April 2011, when the massive Sony PlayStation Network breach happened, leaking data on 77 million users globally and 3 million in the UK, the ICO has only received six complaints relating to the Japanese electronics giant. Only one of those complaints mentioned the PSN breach, indicating UK gamers were not too bothered by the hack.

The ICO continues to investigate the Sony data breach. Having told this publication a decision was imminent way back in March, it has still not made an announcement. A spokesperson said today that a decision may be reached in the next few weeks. Our FOI request asked for access to communications between ICO and Sony, but this was declined as the ICO FOI team said public interest was not sufficient.

As for Google, the ICO figures revealed a mismatch between media interest and public concern. In a Wi-Fi data slurping debacle in 2010, known as “WiSpy”, Google’s Street View cars harvested personal data from any unencrypted Wi-Fi networks they encountered while mapping the UK’s roads. Despite media and regulator scrutiny, few people actually seem to have complained to the ICO about Google.

Between 1 January 2009 and 28 August 2012, there were just 30 complaints relating to Google. Of those, 17 related to Street View, but 14 were only complaints about Street View images. Just three related to the Wi-Fi data slurping issue.

In July, the ICO reopened its investigation into that case, after fresh details emerged, as a US Federal Communications Commission (FCC) report found Google workers knew about the code that captured data, even though Google previously indicated the whole debacle was just a mistake.

The FCC report also suggested more personal data was collected than originally believed, including medical listings, information in relation to online dating and visits to pornographic sites.

Public sector problems

In the public sector, the Department of Work and Pensions (DWP) attracted more complaints than any other public sector body over the past year. However, it sparked 38 complaints over alleged breaches, which was less than O2’s total of 48.

This could give extra ammunition to those who have criticised the ICO for fining public bodies more often than it penalises those in the public sector.

Data protection issues at the DWP were also exposed by an FOI request put in by Channel 4’s Dispatches programme, which revealed in May that 992 DWP staff members had been disciplined for data offences in just ten months.

According to Computer Weekly, public bodies have sacked at least 120 employees for abusing access to the Customer Information System, thought to be the “largest government database of personal information in Europe”.

The DWP did not talk about the new figures directly, sending over this response from a department spokesperson: “The DWP employs nearly 100,000 staff serving over 20 million people at any one time, carrying out millions of data transactions a year.

“We take all complaints about data protection extremely seriously. We have a number of security measures in place to protect personal data and tough disciplinary procedures for any members of staff found to have breached data protection rules.”

ICO fines in question

Stewart Room, data protection lawyer and partner in Field Fisher Waterhouse’s Privacy and Information Law Group, said he was surprised by the low numbers of complaints. That could undermine the ICO’s perceived authority to issue fines, as the watchdog has to base its monetary penalties on the effect on people’s lives.

“It suggests that members of the public in the UK are not as stressed out by data protection as the regulators might have us believe,” Room said – or else they may not actually know about the ICO and its powers.

“This is very important to the issue of financial penalties also, because ICO has to show a likelihood of harm – namely damage or distress – resulting from bad data protection before it can issue a fine.

“If people are not complaining in any meaningful sense, one wonders how it will be possible for ICO to claim a likelihood of harm when it comes to fines.”

UPDATE: The ICO wanted to make it clear that the FOI request was for alleged breaches where the nature of the complaint was recorded as security or disclosure of data only. The article has been amended slightly to make that clearer.

Web-based marketing is widespread amongst companies of all sizes, at the same time, online advertising is undergoing significant changes. As a result, many web managers have become frustrated as previously successful Search Engine Optimisation (SEO) and online advertising techniques no longer generate the returns they used to in terms of increasing website visitors and conversion […]

In addition, people are still wary about doing business online. Trust and security should be core parts of your website strategy alongside design, hosting, SEO and marketing. Yet, companies often don’t pay enough attention to these factors with potentially disastrous consequences. This white paper lists six threats to your website and what you can do […]

The advent of the Internet has resulted in an ever-expanding data ecosystem. Unfortunately, this has also led to an increase in data breaches and identity theft. While attackers are still motivated by crime (to gain money), politics (to gain power and influence), and espionage (to gain market advantage), they also want to steal your information […]

Akamai’s globally-distributed Intelligent Platform allows us to gather massive amounts of data on many metrics, including connection speeds, attack traffic, network connectivity/ availability issues, and IPv6 adoption progress, as well as traffic patterns across leading Web properties and digital media providers. Each quarter, Akamai publishes the State of the Internet Report.

Stewart Room claims that the complaint numbers are low and this might interfere with the ICO’s ability to issue Civil Monetary Penalties (they’re not fines). Given that they’ve already issued dozens with one amounting to £325,000, I think they’ve established that this probably isn’t an issue. Complaints are separate to the large security and accuracy breaches that result in ICO CMPs.

Lets look at the largest CMP issued to date – given to Brighton and Sussex NHS Trust for allowing patient records to be sold on Ebay. Amongst the data disclosed were 67,642 peoples names, DOB’s and STD results – were those individuals even notified by the organisation in question what had happened? If not, how could they be expected to complain to the ICO? In anycase, would the receipt of a given number of complaints by the regulator really demonstrate the likelihood of harm – or can a reasonable judgement be made that disclosing this type of information is ‘likely to cause substantial damage or substantial distress’?

Mr Room would, or perhaps should, be expected to know far more about this than your average Data Protection expert, given it was his firm who apparently represented/advised Brighton in the above matter – advice which led to alot of strongly worded press releases criticisng the ICO penalty, but ultimately a belated acceptance of the amount. That advice cost the taxpayer £168,259,59k.

The problem with the complaints is that most of the general public don’t know who to complain to. If their credit card details are compromised, they will complain to their credit card company when rogue transactions appear. However when personal information is stolen, the impact on the individual concerned might bot be apparent for some time. They may only realise that their identity has been stolen when they can’t get new mortgage credit, or another credit card. At that point the first place they will complain will be —- the bank again. Without sensible disclosure policies to the public its not possible for a member of the public to know a) if they might be affected b) what to look out for.
The card companies have great ways to work out where stolen cards have been used and can correlate it to work out the likely point of compromise. We can’t do that with our personal information.
Generally people only complain when something affects them directly – it can take a long time to determine whether your identity has been stolen and then try to figure out who’s at fault.